Thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords, a survey carried out with the help of the US Department of Homeland Security has found.
According to a third-party report, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical used scripts run through the Shodan search engine - 'Google for hackers' - to identify 7,200 vulnerable logins.
After initially searching 500,000 systems, the pair whittled that list in order to put a number to the problem of vulnerable SCADA interfaces before reporting their findings to the DHS.
"The biggest thing is we are trying to assign a number - a rough magnitude -to a problem plaguing the industry for some time now," Radvanovsky was quoted as saying.
"Until you identify the scope of a problem, no one takes steps to change things. We're doing it on a beer budget; we hope others confirm our results."
The list of SCADA systems included critical infrastructure as well building automation, traffic control and red-light cameras and even crematoriums.
"A lot of these guys want to fix things at 3 a.m. without driving three hours in each direction. It's worth a lot to them to put it up on the Net without thinking hard about the potential consequences," commented Brodsky.
"They'll presume a particular protocol is not well known. These guys think no one will figure it out, but actually, there's a lot of residual information available where you could figure it out. They're not as secure as they think they are."
The DHS had contacted the controllers of the affected systems, the researchers said, although progress to rectify the dangerous insecurity had yet to be confirmed.
"This highlights a great weakness in critical infrastructure both in the US and beyond: security is still firmly rooted in the 20th century," said Chris McIntosh, CEO of security specialist ViaSat UK.
"For example, an attack on the energy grid needn't assault hubs of power generation or sub-stations: communications lines, business networks and even smart meters can be viable points of entry. Incidents could involve manipulating real-time electricity grid management equipment such as transformers and capacitors, resulting in anything up to blackouts of entire regions."
Such systems should always use rigorous authentication and, preferably, and encrypted channel, he said.
"Companies should be working on the assumption that their systems have already been compromised and plan accordingly."
Nearly a year ago, the Shodan search engine was used by an independent researcher to uncover a major flaw in Trendnet home webcams which could allow an attacker to view private video feeds in realtime.